Month: January 2014

The latest story in the Guardian about surveillance reveals something that is deeply disturbing. It seems that David Cameron’s enthusiasm for mass surveillance comes from watching TV dramas. As quoted in the Guardian:

” I love watching crime drama on the television, as I should probably stop telling people. There is hardly a crime drama that is not solved without using the data of a mobile communications device. If we don’t modernise the practice and the law over time we will have the communications data to solve these horrible crimes on a shrinking proportion of the total use of the devices.”

Apart from the obvious questions like how a busy Prime Minister manages to spend so much time watching TV, it does raise a lot of questions about the basis for this kind of policy – and confirms a lot of the suspicions that many of us in the privacy field have had for a while. This kind of policy is based on ‘feelings’ and ‘suspicions’ that this kind of thing works, fuelled by fiction rather than evidence.

Cameron seems to have missed the point that this is fiction, not fact. Watching Spooks is no substitute for studying reality – and finding evidence that this kind of approach works in reality has proved very difficult in recent months. Spies in fiction tend to be far more effective than spies in reality – and drawing any conclusions from their actions is more than just absurd, it’s dangerous and deeply disturbing.

This government has often shown deep disdain for evidence – Michael Gove’s education policies and Iain Duncan Smith’s approach to welfare (which he has recently attempted to justify on the basis of the ‘reality’ TV programme ‘Benefits Street’) seemed to have almost no basis in reality at all, and the evidence often points directly against their effectiveness. Owen Paterson’s badger cull flew in the face of the evidence in almost every way. Theresa May’s approach to immigration ignores almost all the evidence (but sadly it’s echoed by the immigration policies of all the other parties).

This is no way to govern – and the Prime Minister in particular should be ashamed of himself. It’s not just the lack of evidence that surprises me, though, it’s the brazen way that the Prime Minister seems to think it’s OK to offer up fiction to support his arguments. That’s just not right, in so many ways. We need to be clear about that, and tell him so.

The latest revelation from the Snowden leaks has caused a good deal of amusement: the NSA has been ‘piggybacking’ on apps like Angry Birds. The images that come to mind are indeed funny – I like the idea of a Man in Black riding on the back of an Angry Bird – but there’s a serious point and a serious risk underneath it, one that’s particularly pertinent on European Data Protection Day.

The point is very simple: the NSA can only get information from ‘leaky’ apps like Angry Birds if those apps collect the information in the first place. If we want to stop the NSA gathering data about us, then, ultimately, the key is to have less data out there, less data gathered – less data gathering, and by commercial entities, not just by governments. Why, you might (and should) ask, does Angry Birds need to gather so much information about you in the first place? And, more importantly, should it be able to?

“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”

If we want to stop the NSA spying, the first and most important step is to cut down on commercial surveillance. If we want the NSA to have less access to our private and personal data, we need to stop the commercial entities from have so much of our private and personal data. If the commercial entities gather and hold the data, you can be pretty sure that, one way or another, the authorities – and others – will find a way to get access to that data.

That’s where data protection should come in. One of the underlying principles of data protection is ‘data minimisation’: only the minimum of data should be held, and for the minimum length of time, for a specific purpose, one that has been explained to the people about whom the data has been gathered. Sadly, data minimisation is mostly ignored, or at best paid lip service to. It shouldn’t be – and we should be getting angry about it. Yes, we should be angry that Angry Birds is ‘leaky’ – but we should be equally angry that Angry Birds is gathering so much data about us in the first place.

Whatever happens with the reform of data protection – and the reform process has been tortuous over the last two years – we shouldn’t let it be weakened. We shouldn’t let principles like data minimisation be watered down. We should strengthen them, and fight for them. Data Protection has a lot of problems, but it’s still a crucial tool to protect us, and not just from corporate intrusions but from the excesses of the intelligence agencies on others. On European Data Protection Day we should remember that, and do our best to support it.

The importance of privacy is often downplayed. It sometimes seems as though privacy is viewed as something bad, something inherently selfish, something that ‘good’ people don’t need or really want – or at the very least are willing to sacrifice for the greater good. To me, that displays a fundamental misunderstanding of privacy and of the role it plays in society. Privacy isn’t selfish – though it is sometimes used for selfish means – it’s one of the crucial elements of a functioning society. We all need privacy – and not just for our personal, individualistic needs, but to be able to function properly in society. We need to have our privacy respected – and we need to respect others’ privacy.

Two current stories exemplify both the importance of privacy and the way that the arguments often get skewed: the debate over mass surveillance of the internet, and the issue of the ‘opening up’/’selling off’ of health data from the NHS (the ‘care.data’ story).

Mass surveillance and selfishness

The argument here (which I’ve discussed before, most recently here) is that the only reason to oppose mass surveillance is to protect your own, individual and selfish personal privacy. As ‘good’ people have ‘nothing to hide’, they’ve got ‘nothing to lose’ by sacrificing this individual, selfish concern for the greater good. As Sir Malcolm Rifkind put it:

“There is a balance to be found between our individual right to privacy and our collective right to security.”

The implication of Rifkind’s words is pretty clear – the collective right to security is more important. It’s ‘collective’ rather than ‘individual’ – and hence altruistic rather than selfish. There are many holes in the argument. Surveillance impacts upon rights that are far from individual or selfish – chilling free speech (and the right of others to hear your speech), limiting rights to assemble and associate both offline and online and more. It creates a power imbalance between those who have the information (in this case the authorities) and those about whom the information is held (in this case each and every one of us) which ultimately undermines pretty much every element of how our society functions. That’s why police states are so keen on surveillance and information gathering – it gives them control. It’s not just selfish to want to avoid that kind of control – it’s for the good of the society as a whole.

Furthermore, the idea that only those who have ‘something to hide’ should be concerned about privacy is in itself fundamentally flawed. People don’t just want to hide ‘bad’ or ‘discreditable’ information – and privacy isn’t just about ‘hiding’ things either. Privacy is about autonomy – about the ability to have at least an element of control over what information about them is made available to whom. Some information you might be happy to share with your friends but not with your parents, your employers or the government. What you might want to share can change over time – even the nicest things are often best held back for your own reasons. It’s not selfishness – it’s humanity.

Health data and selfishness

The parallels between the care.data debate and the debate over mass surveillance may not be immediately apparent, but the two issues are closer than they might seem. The argument goes broadly like this: those who are objecting to the sharing of health data are selfishly worrying about a minuscule risk to their own, individual privacy and should be sacrificing that selfishness to the collective good created by the sharing of health data. Just as for mass surveillance, the balance suggested is between an almost irrelevant selfishness and a general and bountiful good created by the sharing of health data.

Again, I think this argument is misstated – though perhaps not as clearly as with mass surveillance. The first thing to say is that the risk to individual privacy is not minuscule. The suggestion by the proponents of the system is that because the data is ‘anonymised’ then privacy is protected. The problem is that anonymisation, both theoretically and practically, has generally been shown to be ineffective. ‘Anonymous’ records can be deanonymised – and individual, personal and deeply private information can be extracted.

The next question is whether making this data available will actually benefit the ‘collective good’. The assumption that seems to be being made – the image being presented – is that the data will go to research laboratories developing cures for terrible diseases. If we don’t let this data be shared in this way, we’ll stop them developing cures for currently incurable cancers and so forth. The reality appears likely to be quite different – one key aim seems to be to sell the data to drug companies and insurance firms. Both of these aims need to be handled with a great deal of care.

As for mass surveillance, the ultimate result may well be more about a transfer of power from individuals to organisations that may well be far from benevolent. A society where those in control of health care – and in particular access to health care (either to services or to drugs) have complete informational control over individuals is in some ways just as bad (and remarkably similar) to one where authorities have informational control over people. In a society like that in the UK where there is increasing and creeping privatisation of health services this is particularly worrying. Being concerned about this isn’t selfishness.

A more privacy friendly society?

In both cases, it is important to understand that we’re not left with just one choice. This isn’t black and white. It’s not ‘mass surveillance or anarchy’, or ‘complete health data sharing or a collapse in public health’. It really is about balance – but finding the balance should be based on a more appropriate and accurate analysis of the issues. For mass surveillance we need to look more carefully at the impact of that surveillance, and ask for more evidence of the collective benefit.

For health data we need to look more carefully – much more carefully – at the risks of deanonymisation. And, if we can ameliorate those risks appropriately, we need to set the terms of the ‘opening up’/’selling off’ of the data in a way that benefits society. Drug companies should only get access to that information if they make appropriate commitments to make the drugs they develop available in forms and at prices that benefit society – and the NHS in particular. For insurance companies the terms should be even tougher – if they should be allowed access at all.

Most of all, though, we need to have a proper debate about this, and the case needs to be made. Anyone who has received the care.data leaflet through their door (mine came last week) should be shown how much it shows only one side of the argument. This is a critical moment – for both health data and surveillance. What we do now will be very hard to reverse, not just for us but for future generations. To care about them is the opposite of selfishness.

Evidence seems to be mounting that mass surveillance isn’t actually very good at dealing with terrorism. Hot on the heels of the admission by the NSA that their mass surveillance of telephone call data had only been helpful in a single terrorism-related case, a detailed new report by the New America Foundation seems to suggest that their other surveillance programmes, including the PRISM programme, are also conspicuously ineffective. It is not, of course, possible to draw hard and fast conclusions from these analyses. It is still very early days, and the very nature of the field means that information is hard to get, and that the authorities are (often entirely appropriately) unwilling to divulge many details. Nonetheless, the trend of the information appears to strongly suggest that mass surveillance does not really deal with terrorism very successfully.

This isn’t a great surprise to many of us working in the field of privacy and surveillance – it confirms what most of us have long suspected. It does, however, raise a great many questions, questions which the authorities responsible for the surveillance have seemed unwilling to acknowledge, let alone answer.

A waste of resources?

The first of these is if mass surveillance is ineffective at dealing with terrorism – as the evidence seems to be suggesting that it is – how many more terrorism plots could have been foiled if the enormous amount of money, time, effort and expertise that has been devoted to these programmes over the years had been put into other methods of counter-terrorism? There are other ways to work, and the authorities not only know this but they use these other methods. More ‘conventional’ intelligence work, for example, seems to have been more successful – indeed, it could scarcely have been less successful than the mass surveillance programmes. At a time of austerity, when everyone’s budgets are being squeezed, why are we spending so much on something that seems supremely inefficient and ineffective?

If not counter-terrorism, then what?

The intelligence services must know that these programmes don’t actually do much to counter terrorism. Whatever we think about them, they’re certainly no fools. If they don’t do what the authorities have been claiming, then why are the intelligence services so keen on mass surveillance? Is it, as has been suggested, that though they’ve done little to deal with terrorism so far that they’re some kind of ‘insurance policy’ against future terror issues? It’s not an entirely convincing suggestion – particularly when the way that resources could be reallocated something more efficient, and without such damaging side effects, is considered. The argument made that such a programme has to be successful only once to be worthwhile falls apart when you consider that wasting time and money on these programmes could have stopped you putting that time and money into something that would have stopped another attack.

Surveillance as control?

So, if it’s not about counter-terrorism, then what is it about, and why are the authorities unwilling to admit their reasoning? As I have argued before (for example here) though mass surveillance is unlikely to be very effective at dealing with terrorism it is much more effective at dealing with mass movements, with protest, with dissent. It can provide a degree of control over populations – partly through the way that it can be used to aggregate information, to monitor trends, to see what the masses are talking about, what online sites they’re visiting and so forth, and partly because it enables that information to be used to actually manipulate people’s activities. Things like automated blocking of popular sites (perhaps using the kinds of mechanisms built into the ‘porn-filters’ currently being pushed by the UK governments) work well with surveillance to produce this kind of control.

Is this something that the intelligence agencies – or their political masters – would like to be able to do? It seems entirely likely, both from a theoretical perspective and when the history of the way that movements like anti-nuclear and environmental campaigns have been watched, infiltrated and undermined by both police and intelligence services. In some ways this is valid work – the border between peaceful protest and violent riots is at times blurred – but at times it certainly is not, and the idea of mass surveillance designed for this kind of thing is a far cry from mass surveillance to counter terrorism.

This may indeed be the clue to why, despite the increasing evidence that the effectiveness of mass surveillance as a counter-terrorism tool is limited at best, the authorities keep on putting it forward as justification. People are afraid of terrorism – and willing, it seems, to sacrifice a lot of deal with that fear. The message that we need to allow surveillance to deal with it is something that can be made to seem acceptable – particularly in the UK.

More evidence needed…

All the evidence discussed at the start of this post comes from the US – because in the UK we seem to be far, far too accepting of what we’re told by the authorities. The ‘public’ hearing of the Intelligence and Security Committee is all we’ve had, and it was an embarrassingly stage-managed exercise that told us nothing at all except that the Intelligence and Security Committee is neither willing nor capable of holding the intelligence services to account. That should not be acceptable. It is to our shame, in the UK, that we are not willing to ask the difficult questions of our intelligence services. At present we have to rely on vague assurances and a general message that we should ‘trust’ them. That’s not enough – and as the evidence from the other side of the Atlantic builds that mass surveillance does not do what they have been telling us, we should be asking for more, and asking loudly and often.

Until they do provide that evidence, it is hard not to conclude that the surveillance systems have been built for something quite different from what they’re telling us. If that’s true, we should be asking even more questions – even harder ones.

Before I write the few small things I want to say about Romania, I want to make one thing entirely clear. I’m biased. Biased in favour of Romania. I know the country pretty well – I’m married to a Romanian woman, and have visited the country many times over the last ten years or so. I know a lot of Romanian people – and like them. There is, as a consequence, no way that I could possibly write anything about Romania that wasn’t biased…. and it’s also true that this post is based on pretty much entirely anecdotal information – from my various trips to Romania over the years, and in particular over this last week. I’m not going to attempt to give an economic analysis, I’m not going to try to ‘prove’ anything about how many Romanians will come over here to the UK, how many of them will claim what kind of benefits, how many of them will commit what kind of crimes etc etc. I don’t have that data – but neither, I suspect, do the people making most of the claims about what will happen over the next few years as a result of the changes in rules for Romanians and Bulgarians.

What I do want to say, though, is that the way that Romanians are being portrayed in the press and by politicians seems to have almost no resonance with my experience of the country. Romania is not a country full of poor, desperate people looking for the first opportunity to leave and to come to the UK to steal our jobs/leech off our benefits/drain our health service/run criminal gangs. It’s not a country, as some have tried to tell me recently, with a culture that is somehow alien to ours, incompatible, bound to cause conflict. It really isn’t. It’s a place where people are, once you get to know them, very like the people of the UK. The kinds of conversations I’ve had over the last week would seem very familiar to most people: worries about the education system, discussions of fashion, a mother bemoaning her daughter’s love of One Direction, complaints about self-serving and incompetent politicians (!).

I spent most of the week in Bucharest – and it’s a European capital that anyone who’s spent much time in Europe should find familiar. Yes, there are many of the old-style communist blocks, but there are also old churches and museums, brand new shopping malls, drive-through McDonalds, big, out-of town shops like IKEA and Decathlon. The images you may find on the pages of the Daily Mail of shanty-towns and peasant farms do exist – but to imagine that they represent ‘the real’ Romania would be as accurate as assuming that the abysmally manipulative TV portrayals in programmes like ‘Benefit Street’ are a real representation of life for most Britons.

Unsurprisingly, the subject of the change in rules for Romanians in the UK did come up in conversation a few times, but mostly with wry smiles. Most of the Romanians I know are fundamentally pragmatic people – many people who’ve had to live through repression have had to learn how to ‘find a way’ to solve problems, rather than have them solved for them. They find the current obsession of the British press and politicians amusing for the most part. They don’t think anyone will change their behaviour – those that wanted to come to the UK have already come to the UK. The economy in Romania seems to have bottomed out, and is turning a corner – why would they want to leave now?

That’s the other thing – Romanians, surprisingly enough, generally rather like Romania. They don’t have a particular desire to leave – and the idea that they’re all desperate to come over here is patently ridiculous. As for those twin red herrings of ‘health tourism’ and ‘benefit tourism’, well, they’re both complete jokes. The Romanians I know generally trust Romanian doctors, and the Romanian health service, far more than they would trust the UK’s system. If they got ill when in the UK, I’d expect them to fly home to get treatment, not to use the UK’s system. And Romanians, just like Brits, don’t generally like the idea of benefits. They’re proud people – in David Cameron’s detestable terms, ‘hard-working people’ – for whom benefits are a safeguard, not a ‘lifestyle choice’. I notice, however, that it’s the same kind of people in the UK who have fallen for the hideous ‘striver-scrounger’ agenda who somehow imagine that immigrants are part of that same pattern. It isn’t real in the UK, and it isn’t real for Romanian immigrants either.

Anyway, that’s all by-the-by. In practice, I didn’t see any floods of Romanians queuing up to enter the UK. My flight back from Bucharest to Luton was no more full than the flight I had taken the other way. There was no desperation – just ordinary people flying on ordinary flights. I was a touch disappointed not to be met by Keith Vaz or a few journalists from the Daily Mail…

…and even if Romanians do come here in big numbers, it wouldn’t be a bad thing. Immigration is generally a good thing, once we overcome our fears. Then again, I would say that. I’m biased.